1 /**************************************************************************/
2 /* */
3 /* Copyright (c) Microsoft Corporation. All rights reserved. */
4 /* */
5 /* This software is licensed under the Microsoft Software License */
6 /* Terms for Microsoft Azure RTOS. Full text of the license can be */
7 /* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */
8 /* and in the root directory of this software. */
9 /* */
10 /**************************************************************************/
11
12
13 /**************************************************************************/
14 /**************************************************************************/
15 /** */
16 /** NetX Secure Component */
17 /** */
18 /** X.509 Digital Certificates */
19 /** */
20 /**************************************************************************/
21 /**************************************************************************/
22
23 #define NX_SECURE_SOURCE_CODE
24
25
26 #include "nx_secure_x509.h"
27
28
29 /* OIDs for X509 items
30 OID encoding scheme:
31 - First byte (ISO prefix) is equal to 40X + Y for X.Y,
32 so 1.2 becomes 40 + 2 = 42 = 0x2A.
- Values that need more than 7 bits are split into 7-bit groups,
one per byte. The last byte has its top bit clear and every
preceding byte has its top bit set. So 113549 (RSA) is
encoded in 3 bytes (113549 occupies 20 bits as 4-bit nibbles,
and 20 / 7 rounds up to 3 bytes); therefore, 113549 becomes an
encoded value of 0x86, 0xF7, 0x0D.
39 - See Davies, "Implementing SSL/TLS" ch. 5.
40 */
41 /* OID values that may be of use in the future.
42 static const UCHAR NX_SECURE_X509_OID_ISO_PREFIX[] = { 0x2A }; // 1.2
43 static const UCHAR NX_SECURE_X509_OID_USA[] = { 0x2A, 0x86, 0x48 }; // ISO.840
44 static const UCHAR NX_SECURE_X509_OID_RSA_CORP[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D }; // ISO.USA.113549
45 */
/* PKCS #1 / RSA algorithm OIDs under 1.2.840.113549.1.1 (ISO.USA.RSA.1.1).
   NOTE(review): an entry here only lets the parser *recognise* the algorithm; whether a
   weak digest such as MD5 or SHA-1 is actually accepted for a signature is decided by the
   callers of _nx_secure_x509_oid_parse, not by this table -- confirm against those callers. */
static const UCHAR NX_SECURE_X509_OID_RSA[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01}; /* 1.2.840.113549.1.1.1  rsaEncryption */
static const UCHAR NX_SECURE_X509_OID_RSA_MD5[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04}; /* 1.2.840.113549.1.1.4  md5WithRSAEncryption */
static const UCHAR NX_SECURE_X509_OID_RSA_SHA1[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05}; /* 1.2.840.113549.1.1.5  sha1WithRSAEncryption */
static const UCHAR NX_SECURE_X509_OID_RSA_SHA256[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B}; /* 1.2.840.113549.1.1.11 sha256WithRSAEncryption */
static const UCHAR NX_SECURE_X509_OID_RSA_SHA384[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0C}; /* 1.2.840.113549.1.1.12 sha384WithRSAEncryption */
static const UCHAR NX_SECURE_X509_OID_RSA_SHA512[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D}; /* 1.2.840.113549.1.1.13 sha512WithRSAEncryption */
52
53 /* static const UCHAR NX_SECURE_X509_OID_NIST_SHA256[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}; */ /* 2.16.840.1.101.3.4.2.1 NIST algorithm SHA256. */
54
/* RFC 3279 OIDs. */
/* ANSI X9.42 / X9.57 algorithm OIDs: both sit under 1.2.840 (ISO.USA), arcs 10046 and 10040. */
static const UCHAR NX_SECURE_X509_OID_DH[] = {0x2A, 0x86, 0x48, 0xCE, 0x3E, 0x02, 0x01}; /* 1.2.840.10046.2.1 dhpublicnumber - ANSI X9.42 DH public number. */
static const UCHAR NX_SECURE_X509_OID_DSS_SHA1[] = {0x2A, 0x86, 0x48, 0xCE, 0x38, 0x04, 0x03}; /* 1.2.840.10040.4.3 dsa-with-sha1 - ANSI X9.57 DSA with SHA-1. */
58 /*static const UCHAR NX_SECURE_X509_OID_ECC_SHA1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x01}; */ /* ISO.USA.10045.4.1 - ANSI X9-62 ECDSA with SHA1. */
59
60 /* OIDs for X509 distinguished names.
61 ASN.1 prefix (ISO-ITU.DirectoryServices.AttributeType) :
62 id-at ::= { joint-iso-ccitt(2) ds(5) 4 }
63 DER encoding: 0x55, 0x04
64 */
/* Distinguished-name attribute types under id-at = 2.5.4 (0x55, 0x04); the third byte is the attribute number. */
static const UCHAR NX_SECURE_X509_OID_COMMON_NAME[] = {0x55, 0x04, 0x03}; /* 2.5.4.3  commonName */
static const UCHAR NX_SECURE_X509_OID_SURNAME[] = {0x55, 0x04, 0x04}; /* 2.5.4.4  surname */
static const UCHAR NX_SECURE_X509_OID_SERIAL_NUMBER[] = {0x55, 0x04, 0x05}; /* 2.5.4.5  serialNumber (a DN attribute, not the certificate serial number) */
static const UCHAR NX_SECURE_X509_OID_COUNTRY_NAME[] = {0x55, 0x04, 0x06}; /* 2.5.4.6  countryName */
static const UCHAR NX_SECURE_X509_OID_LOCALITY[] = {0x55, 0x04, 0x07}; /* 2.5.4.7  localityName */
static const UCHAR NX_SECURE_X509_OID_STATE[] = {0x55, 0x04, 0x08}; /* 2.5.4.8  stateOrProvinceName */
static const UCHAR NX_SECURE_X509_OID_ORGANIZATION[] = {0x55, 0x04, 0x0A}; /* 2.5.4.10 organizationName */
/* The identifier below misspells "UNIT"; it is referenced by the OID map, so it is kept as-is for compatibility. */
static const UCHAR NX_SECURE_X509_OID_ORG_UINT[] = {0x55, 0x04, 0x0B}; /* 2.5.4.11 organizationalUnitName */
static const UCHAR NX_SECURE_X509_OID_TITLE[] = {0x55, 0x04, 0x0C}; /* 2.5.4.12 title */
static const UCHAR NX_SECURE_X509_OID_NAME[] = {0x55, 0x04, 0x29}; /* 2.5.4.41 name */
static const UCHAR NX_SECURE_X509_OID_GIVEN_NAME[] = {0x55, 0x04, 0x2A}; /* 2.5.4.42 givenName */
static const UCHAR NX_SECURE_X509_OID_INITIALS[] = {0x55, 0x04, 0x2B}; /* 2.5.4.43 initials */
static const UCHAR NX_SECURE_X509_OID_GENERATION[] = {0x55, 0x04, 0x2C}; /* 2.5.4.44 generationQualifier */
static const UCHAR NX_SECURE_X509_OID_DN_QUALIFIER[] = {0x55, 0x04, 0x2E}; /* 2.5.4.46 dnQualifier */
static const UCHAR NX_SECURE_X509_OID_PSEUDONYM[] = {0x55, 0x04, 0x41}; /* 2.5.4.65 pseudonym */
80
81 /* X.509 Certificate extensions OIDs from RFC 5280. */
82 /* id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 } */
83 /* static const UCHAR NX_SECURE_X509_OID_EXTENSIONS_PREFIX[] = {0x55, 0x1D }; */ /* 2.5.29 */
/* Standard certificate extensions under id-ce = 2.5.29 (0x55, 0x1D); the third byte is the extension number.
   Two entries (anyPolicy, anyExtendedKeyUsage) are one arc deeper and therefore one byte longer; the OID
   parser matches on exact length, so they do not collide with their three-byte parents. */
static const UCHAR NX_SECURE_X509_OID_DIRECTORY_ATTRIBUTES[] = {0x55, 0x1D, 0x09}; /* 2.5.29.9  subjectDirectoryAttributes */
static const UCHAR NX_SECURE_X509_OID_SUBJECT_KEY_ID[] = {0x55, 0x1D, 0x0E}; /* 2.5.29.14 subjectKeyIdentifier */
static const UCHAR NX_SECURE_X509_OID_KEY_USAGE[] = {0x55, 0x1D, 0x0F}; /* 2.5.29.15 keyUsage */
static const UCHAR NX_SECURE_X509_OID_SUBJECT_ALT_NAME[] = {0x55, 0x1D, 0x11}; /* 2.5.29.17 subjectAltName */
static const UCHAR NX_SECURE_X509_OID_ISSUER_ALT_NAME[] = {0x55, 0x1D, 0x12}; /* 2.5.29.18 issuerAltName */
static const UCHAR NX_SECURE_X509_OID_BASIC_CONSTRAINTS[] = {0x55, 0x1D, 0x13}; /* 2.5.29.19 basicConstraints */
static const UCHAR NX_SECURE_X509_OID_NAME_CONSTRAINTS[] = {0x55, 0x1D, 0x1E}; /* 2.5.29.30 nameConstraints */
static const UCHAR NX_SECURE_X509_OID_CRL_DISTRIBUTION[] = {0x55, 0x1D, 0x1F}; /* 2.5.29.31 cRLDistributionPoints */
static const UCHAR NX_SECURE_X509_OID_CERTIFICATE_POLICIES[] = {0x55, 0x1D, 0x20}; /* 2.5.29.32 certificatePolicies */
static const UCHAR NX_SECURE_X509_OID_ANY_POLICY[] = {0x55, 0x1D, 0x20, 0x00}; /* 2.5.29.32.0 anyPolicy */
static const UCHAR NX_SECURE_X509_OID_CERT_POLICY_MAPPINGS[] = {0x55, 0x1D, 0x21}; /* 2.5.29.33 policyMappings */
static const UCHAR NX_SECURE_X509_OID_AUTHORITY_KEY_ID[] = {0x55, 0x1D, 0x23}; /* 2.5.29.35 authorityKeyIdentifier */
static const UCHAR NX_SECURE_X509_OID_POLICY_CONSTRAINTS[] = {0x55, 0x1D, 0x24}; /* 2.5.29.36 policyConstraints */
static const UCHAR NX_SECURE_X509_OID_EXTENDED_KEY_USAGE[] = {0x55, 0x1D, 0x25}; /* 2.5.29.37 extKeyUsage */
static const UCHAR NX_SECURE_X509_OID_ANY_EXTENDED_KEY_USAGE[] = {0x55, 0x1D, 0x25, 0x00}; /* 2.5.29.37.0 anyExtendedKeyUsage */
static const UCHAR NX_SECURE_X509_OID_FRESHEST_CRL[] = {0x55, 0x1D, 0x2E}; /* 2.5.29.46 freshestCRL */
static const UCHAR NX_SECURE_X509_OID_INHIBIT_ANYPOLICY[] = {0x55, 0x1D, 0x36}; /* 2.5.29.54 inhibitAnyPolicy */
101
102
103 /* X.509 Private Internet extensions OIDs from RFC 5280. */
104 /* id-pkix OBJECT IDENTIFIER ::=
105 { iso(1) identified-organization(3) dod(6) internet(1)
106 security(5) mechanisms(5) pkix(7) }
107
108 id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
109 id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
110 */
111 /* static const UCHAR NX_SECURE_X509_OID_PKIX_PREFIX[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07 }; */ /* 1.3.6.1.5.5.7 */
/* PKIX private extensions and policy qualifiers under id-pkix = 1.3.6.1.5.5.7 (0x2B, 0x06, 0x01, 0x05, 0x05, 0x07). */
static const UCHAR NX_SECURE_X509_OID_PKIX_EXT_PREFIX[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01}; /* 1.3.6.1.5.5.7.1    id-pe */
static const UCHAR NX_SECURE_X509_OID_PKIX_AIA[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01}; /* 1.3.6.1.5.5.7.1.1  id-pe-authorityInfoAccess */
static const UCHAR NX_SECURE_X509_OID_PKIX_SIA[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x0B}; /* 1.3.6.1.5.5.7.1.11 id-pe-subjectInfoAccess */
static const UCHAR NX_SECURE_X509_OID_PKIX_QT[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02}; /* 1.3.6.1.5.5.7.2    id-qt */
static const UCHAR NX_SECURE_X509_OID_PKIX_QT_CPS[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01}; /* 1.3.6.1.5.5.7.2.1  id-qt-cps */
static const UCHAR NX_SECURE_X509_OID_PKIX_QT_UNOTICE[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02}; /* 1.3.6.1.5.5.7.2.2  id-qt-unotice */
118
119 /* Extended key usage extension OIDs. */
/* Extended key usage purposes under id-kp = 1.3.6.1.5.5.7.3. */
static const UCHAR NX_SECURE_X509_OID_PKIX_KP[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03}; /* 1.3.6.1.5.5.7.3   id-kp */
static const UCHAR NX_SECURE_X509_OID_PKIX_KP_SERVER_AUTH[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x1}; /* 1.3.6.1.5.5.7.3.1 id-kp-serverAuth */
static const UCHAR NX_SECURE_X509_OID_PKIX_KP_CLIENT_AUTH[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x2}; /* 1.3.6.1.5.5.7.3.2 id-kp-clientAuth */
static const UCHAR NX_SECURE_X509_OID_PKIX_KP_CODE_SIGNING[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x3}; /* 1.3.6.1.5.5.7.3.3 id-kp-codeSigning */
static const UCHAR NX_SECURE_X509_OID_PKIX_KP_EMAIL_PROTECT[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x4}; /* 1.3.6.1.5.5.7.3.4 id-kp-emailProtection */
static const UCHAR NX_SECURE_X509_OID_PKIX_KP_TIME_STAMPING[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x8}; /* 1.3.6.1.5.5.7.3.8 id-kp-timeStamping */
static const UCHAR NX_SECURE_X509_OID_PKIX_KP_OCSP_SIGNING[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x9}; /* 1.3.6.1.5.5.7.3.9 id-kp-OCSPSigning */
127
128 /* Miscellaneous OIDs. */
/* 2.16.840.1.113730.1.13 netscape-comment: a legacy free-text extension that is recognised so it can be skipped. */
static const UCHAR NX_SECURE_X509_OID_NETSCAPE_COMMENT[] = {0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d};
130
#ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
/* RFC 5480 OIDs. Two arcs are used: the ANSI X9.62 arc 1.2.840.10045 for the key type, the 192/256-bit prime
   curves and the ecdsa-with-* signature algorithms, and the SECG arc 1.3.132.0 (0x2B, 0x81, 0x04, 0x00)
   for the 224/384/521-bit curves. */
static const UCHAR NX_SECURE_X509_OID_EC[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01}; /* 1.2.840.10045.2.1   id-ecPublicKey */
static const UCHAR NX_SECURE_X509_OID_SECP192R1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x01}; /* 1.2.840.10045.3.1.1 secp192r1 (prime192v1) */
static const UCHAR NX_SECURE_X509_OID_SECP224R1[] = {0x2B, 0x81, 0x04, 0x00, 0x21}; /* 1.3.132.0.33        secp224r1 */
static const UCHAR NX_SECURE_X509_OID_SECP256R1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}; /* 1.2.840.10045.3.1.7 secp256r1 (prime256v1) */
static const UCHAR NX_SECURE_X509_OID_SECP384R1[] = {0x2B, 0x81, 0x04, 0x00, 0x22}; /* 1.3.132.0.34        secp384r1 */
static const UCHAR NX_SECURE_X509_OID_SECP521R1[] = {0x2B, 0x81, 0x04, 0x00, 0x23}; /* 1.3.132.0.35        secp521r1 */
static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x01}; /* 1.2.840.10045.4.1   ecdsa-with-SHA1 */
static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA224[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x01}; /* 1.2.840.10045.4.3.1 ecdsa-with-SHA224 */
static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA256[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02}; /* 1.2.840.10045.4.3.2 ecdsa-with-SHA256 */
static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA384[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03}; /* 1.2.840.10045.4.3.3 ecdsa-with-SHA384 */
static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA512[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x04}; /* 1.2.840.10045.4.3.4 ecdsa-with-SHA512 */
#endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */
145
146 /* Lookup table for OID to type mapping. */
/* One row of the OID lookup table: the internal constant an encoded OID is translated to,
   plus the DER-encoded OID bytes it must equal. */
typedef struct NX_SECURE_X509_OID_MAP_STRUCT
{
    /* Internal identifier returned by _nx_secure_x509_oid_parse (an NX_SECURE_TLS_X509_TYPE_* or
       NX_SECURE_TLS_X509_EC_* constant). */
    UINT nx_secure_oid_map_type;

    /* Pointer to the DER-encoded OID content bytes (no tag or length octet). */
    const UCHAR *nx_secure_oid_map_oid;

    /* Number of bytes at nx_secure_oid_map_oid; filled in with sizeof the backing array. */
    UINT nx_secure_oid_map_oid_size;
} NX_SECURE_X509_OID_MAP;
155
/* Builds one table row from a type constant and the name of an OID byte array. Deriving the
   size from the array itself guarantees the pointer and the length can never disagree. */
#define NX_SECURE_X509_OID_MAP_ENTRY(type, oid_array) {type, oid_array, sizeof(oid_array)}

/* OID lookup table consulted by _nx_secure_x509_oid_parse. Matching is by exact byte length and
   content, so row order carries no meaning.
   NOTE(review): this array is neither static nor const, so it is writable and visible to other
   translation units; if nothing outside this file references it, `static const` would let the
   linker place it in read-only memory -- confirm before changing. */
NX_SECURE_X509_OID_MAP _nx_secure_x509_oid_map[] =
{
    /* Signature / public-key algorithms. */
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_RSA, NX_SECURE_X509_OID_RSA),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_RSA_MD5, NX_SECURE_X509_OID_RSA_MD5),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_RSA_SHA_1, NX_SECURE_X509_OID_RSA_SHA1),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_RSA_SHA_256, NX_SECURE_X509_OID_RSA_SHA256),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_RSA_SHA_384, NX_SECURE_X509_OID_RSA_SHA384),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_RSA_SHA_512, NX_SECURE_X509_OID_RSA_SHA512),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_DH, NX_SECURE_X509_OID_DH),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_DSS_SHA_1, NX_SECURE_X509_OID_DSS_SHA1),

    /* Distinguished-name attributes. */
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_COMMON_NAME, NX_SECURE_X509_OID_COMMON_NAME),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_COUNTRY, NX_SECURE_X509_OID_COUNTRY_NAME),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_LOCALITY, NX_SECURE_X509_OID_LOCALITY),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_STATE, NX_SECURE_X509_OID_STATE),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ORGANIZATION, NX_SECURE_X509_OID_ORGANIZATION),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ORG_UNIT, NX_SECURE_X509_OID_ORG_UINT),

    /* Standard certificate extensions. */
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_DIRECTORY_ATTRIBUTES, NX_SECURE_X509_OID_DIRECTORY_ATTRIBUTES),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_SUBJECT_KEY_ID, NX_SECURE_X509_OID_SUBJECT_KEY_ID),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_KEY_USAGE, NX_SECURE_X509_OID_KEY_USAGE),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_SUBJECT_ALT_NAME, NX_SECURE_X509_OID_SUBJECT_ALT_NAME),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ISSUER_ALT_NAME, NX_SECURE_X509_OID_ISSUER_ALT_NAME),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_BASIC_CONSTRAINTS, NX_SECURE_X509_OID_BASIC_CONSTRAINTS),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_NAME_CONSTRAINTS, NX_SECURE_X509_OID_NAME_CONSTRAINTS),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_CRL_DISTRIBUTION, NX_SECURE_X509_OID_CRL_DISTRIBUTION),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_CERTIFICATE_POLICIES, NX_SECURE_X509_OID_CERTIFICATE_POLICIES),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_CERT_POLICY_MAPPINGS, NX_SECURE_X509_OID_CERT_POLICY_MAPPINGS),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_AUTHORITY_KEY_ID, NX_SECURE_X509_OID_AUTHORITY_KEY_ID),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_POLICY_CONSTRAINTS, NX_SECURE_X509_OID_POLICY_CONSTRAINTS),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_EXTENDED_KEY_USAGE, NX_SECURE_X509_OID_EXTENDED_KEY_USAGE),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ANY_EXTENDED_KEY_USAGE, NX_SECURE_X509_OID_ANY_EXTENDED_KEY_USAGE),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_FRESHEST_CRL, NX_SECURE_X509_OID_FRESHEST_CRL),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_INHIBIT_ANYPOLICY, NX_SECURE_X509_OID_INHIBIT_ANYPOLICY),

    /* Remaining distinguished-name attributes. */
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_SURNAME, NX_SECURE_X509_OID_SURNAME),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_SERIAL_NUMBER, NX_SECURE_X509_OID_SERIAL_NUMBER),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_TITLE, NX_SECURE_X509_OID_TITLE),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_NAME, NX_SECURE_X509_OID_NAME),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_GIVEN_NAME, NX_SECURE_X509_OID_GIVEN_NAME),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_INITIALS, NX_SECURE_X509_OID_INITIALS),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_GENERATION, NX_SECURE_X509_OID_GENERATION),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_DN_QUALIFIER, NX_SECURE_X509_OID_DN_QUALIFIER),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PSEUDONYM, NX_SECURE_X509_OID_PSEUDONYM),

    /* PKIX private extensions, policy qualifiers and miscellaneous. */
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_EXT_PREFIX, NX_SECURE_X509_OID_PKIX_EXT_PREFIX),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_AIA, NX_SECURE_X509_OID_PKIX_AIA),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_SIA, NX_SECURE_X509_OID_PKIX_SIA),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_NETSCAPE_COMMENT, NX_SECURE_X509_OID_NETSCAPE_COMMENT),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ANY_POLICY, NX_SECURE_X509_OID_ANY_POLICY),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_QT, NX_SECURE_X509_OID_PKIX_QT),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_QT_CPS, NX_SECURE_X509_OID_PKIX_QT_CPS),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_QT_UNOTICE, NX_SECURE_X509_OID_PKIX_QT_UNOTICE),

    /* Extended key usage purposes. */
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_KP, NX_SECURE_X509_OID_PKIX_KP),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_KP_SERVER_AUTH, NX_SECURE_X509_OID_PKIX_KP_SERVER_AUTH),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_KP_CLIENT_AUTH, NX_SECURE_X509_OID_PKIX_KP_CLIENT_AUTH),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_KP_CODE_SIGNING, NX_SECURE_X509_OID_PKIX_KP_CODE_SIGNING),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_KP_EMAIL_PROTECT, NX_SECURE_X509_OID_PKIX_KP_EMAIL_PROTECT),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_KP_TIME_STAMPING, NX_SECURE_X509_OID_PKIX_KP_TIME_STAMPING),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_PKIX_KP_OCSP_SIGNING, NX_SECURE_X509_OID_PKIX_KP_OCSP_SIGNING),
#ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
    /* Elliptic-curve key type, named curves and ECDSA signature algorithms. */
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_EC, NX_SECURE_X509_OID_EC),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_EC_SECP192R1, NX_SECURE_X509_OID_SECP192R1),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_EC_SECP224R1, NX_SECURE_X509_OID_SECP224R1),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_EC_SECP256R1, NX_SECURE_X509_OID_SECP256R1),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_EC_SECP384R1, NX_SECURE_X509_OID_SECP384R1),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_EC_SECP521R1, NX_SECURE_X509_OID_SECP521R1),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_1, NX_SECURE_X509_OID_ECDSA_SHA1),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_224, NX_SECURE_X509_OID_ECDSA_SHA224),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_256, NX_SECURE_X509_OID_ECDSA_SHA256),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_384, NX_SECURE_X509_OID_ECDSA_SHA384),
    NX_SECURE_X509_OID_MAP_ENTRY(NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_512, NX_SECURE_X509_OID_ECDSA_SHA512),
#endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */
};

#undef NX_SECURE_X509_OID_MAP_ENTRY
226
/* Number of rows in _nx_secure_x509_oid_map, derived from the array so it tracks additions
   (including the conditionally compiled ECC rows) automatically. */
static const UINT _nx_secure_x509_oid_map_size = (UINT)(sizeof(_nx_secure_x509_oid_map) / sizeof(_nx_secure_x509_oid_map[0]));
228
229 /**************************************************************************/
230 /* */
231 /* FUNCTION RELEASE */
232 /* */
233 /* _nx_secure_x509_oid_parse PORTABLE C */
234 /* 6.1.6 */
235 /* AUTHOR */
236 /* */
237 /* Timothy Stapko, Microsoft Corporation */
238 /* */
239 /* DESCRIPTION */
240 /* */
241 /* This function parses a DER-encoded Object Identifier (OID) string */
242 /* and returns an internally-defined constant for further use in X.509 */
243 /* parsing routines. */
244 /* */
245 /* INPUT */
246 /* */
247 /* oid OID data to be parsed */
248 /* length Length of OID data in buffer */
249 /* oid_value Return OID internal integer */
250 /* */
251 /* OUTPUT */
252 /* */
253 /* None */
254 /* */
255 /* CALLS */
256 /* */
257 /* None */
258 /* */
259 /* CALLED BY */
260 /* */
261 /* _nx_secure_x509_crl_signature_algorithm_parse */
262 /* Parse signature algorithm in */
263 /* _nx_secure_x509_distinguished_name_parse */
264 /* Parse Distinguished Name */
265 /* _nx_secure_x509_extension_find Find extension in certificate */
266 /* _nx_secure_x509_extended_key_usage_extension_parse */
267 /* Parse Extended KeyUsage */
268 /* extension */
269 /* _nx_secure_x509_parse_public_key Parse public key in */
270 /* certificate */
271 /* _nx_secure_x509_parse_signature_algorithm */
272 /* Parse signature algorithm in */
273 /* _nx_secure_x509_policy_qualifiers_parse */
274 /* Parse policy qualifiers */
275 /* */
276 /* RELEASE HISTORY */
277 /* */
278 /* DATE NAME DESCRIPTION */
279 /* */
280 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
281 /* 09-30-2020 Timothy Stapko Modified comment(s), */
282 /* resulting in version 6.1 */
283 /* 04-02-2021 Timothy Stapko Modified comment(s), */
284 /* removed dependency on TLS, */
285 /* resulting in version 6.1.6 */
286 /* */
287 /**************************************************************************/
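VOID _nx_secure_x509_oid_parse(const UCHAR *oid, ULONG length, UINT *oid_value)
{
    INT compare_val;
    UINT i;

    /* Translate a DER-encoded OID (content bytes only, no tag/length) into the internal
       NX_SECURE_TLS_X509_TYPE_* constant recorded for it in _nx_secure_x509_oid_map.
       oid       - buffer holding 'length' bytes of OID content; may come from an untrusted certificate.
       length    - number of valid bytes at 'oid'.
       oid_value - receives the matching type, or NX_SECURE_TLS_X509_TYPE_UNKNOWN when no row matches
                   (this includes length == 0, since no table row has a zero-length OID). */
    for (i = 0; i < _nx_secure_x509_oid_map_size; ++i)
    {
        /* Only an exact length match can be a real match. NX_SECURE_MEMCMP below reads
           nx_secure_oid_map_oid_size bytes from 'oid', so accepting a shorter input (as a
           '<=' check would) reads past the end of the caller's buffer, and a longer input can
           never equal a shorter table entry. */
        if (length != _nx_secure_x509_oid_map[i].nx_secure_oid_map_oid_size)
        {
            continue;
        }

        compare_val = NX_SECURE_MEMCMP(oid, _nx_secure_x509_oid_map[i].nx_secure_oid_map_oid, _nx_secure_x509_oid_map[i].nx_secure_oid_map_oid_size);
        if (compare_val == 0)
        {
            *oid_value = _nx_secure_x509_oid_map[i].nx_secure_oid_map_type;
            return;
        }
    }

    /* No row matched: report the OID as unrecognised rather than guessing. */
    *oid_value = NX_SECURE_TLS_X509_TYPE_UNKNOWN;
}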
310
311